There is a strong parameters bypass vector in ActionPack. In some cases user-supplied information can be inadvertently leaked from Strong Parameters. Specifically, `each`, `each_value`, and `each_pair` return the underlying "untrusted" hash of data that was read from the parameters. Applications that use this return value may inadvertently use untrusted user input. Reference: https://groups.google.com/forum/#!msg/rubyonrails-security/f6ioe4sdpbY/s8tBAMPAAQAJ
Created rubygem-actionpack tracking bugs for this issue: Affects: fedora-all [bug 1842635]
External References: https://weblog.rubyonrails.org/2020/5/18/Rails-5-2-4-3-and-6-0-3-1-have-been-released
Statement: Red Hat CloudForms and Red Hat Satellite ship the affected RubyGem actionpack and use strong parameters; however, the products are not vulnerable since safe return values are used in product code.
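
The return-value leak described in the first paragraph, shown as an added example that is not code from Rails or from this bug report. `MiniParams`, `assign`, and `REQUEST` are hypothetical stand-ins built for the illustration: the wrapper models a parameters object with a permit flag, and the sink models a mass-assignment call that rejects unpermitted wrappers but cannot distrust a plain Hash.

```ruby
# Simplified stand-in for a strong-parameters wrapper (assumption: a model
# written for this example, not Rails source code).
class MiniParams
  def initialize(hash, permitted = false)
    @parameters = hash
    @permitted = permitted
  end

  def permitted?
    @permitted
  end

  def to_h
    @parameters.dup
  end

  # Allow-list: only the named keys survive and the result is marked permitted.
  def permit(*keys)
    MiniParams.new(@parameters.slice(*keys), true)
  end

  # Behaviour described above: Hash#each_pair returns the Hash it iterated,
  # so the raw, unfiltered Hash escapes the wrapper.
  def each_pair_leaky(&block)
    @parameters.each_pair(&block)
  end

  # Hardened form: iterate, then return the wrapper so the permit state travels.
  def each_pair_safe(&block)
    @parameters.each_pair(&block)
    self
  end
end

# Hypothetical mass-assignment sink; returns the attribute names it accepted.
def assign(attrs)
  if attrs.respond_to?(:permitted?)
    raise ArgumentError, "forbidden attributes" unless attrs.permitted?
    attrs = attrs.to_h
  end
  attrs.keys.sort
end

REQUEST = { "name" => "alice", "admin" => "true" }.freeze # constructed input

def leaky_result
  assign(MiniParams.new(REQUEST.dup).each_pair_leaky { |_k, _v| })
end

def safe_result
  assign(MiniParams.new(REQUEST.dup).each_pair_safe { |_k, _v| })
rescue ArgumentError => e
  e.message
end

def permitted_result
  assign(MiniParams.new(REQUEST.dup).permit("name"))
end
```

When auditing application code, the pattern to look for is any use of the value returned by `each`, `each_value`, or `each_pair` on a parameters object, as opposed to calling them only for their side effects.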